There are several ways to answer the “am I vulnerable” question. For managing individual systems you can use yum-plugin-security or OpenSCAP. To manage multiple systems simultaneously there are additional subscription options available: Red Hat Insights or Satellite. Satellite is intended to be a full-service management platform for handling the configuration, provisioning, entitlement, and reporting (including which CVEs are applicable) of Red Hat systems and software. Insights can detect and warn about a subset of “high priority” issues (and also non-CVE related things like performance-related configurations).
There have been three issues raised in the month of May 2017 relating to JAXP on Red Hat JBoss EAP 7: CVE-2017-7464, CVE-2017-7465, and CVE-2017-7503. All of the issues are XML External Entity (XXE) vulnerabilities, which have affected Java since 2002. XXE is a type of attack that affects weakly configured XML parsers. A successful attack occurs when XML input contains external entities. Those external entities can do things such as access local network resources, or read local files.
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
Glen Wilcox, Emerging Technology Solutions Architect, Red Hat
In April 2016, security researchers published a report that over 3.2 million unpatched JBoss Application Servers still have known security vulnerabilities which can be used to spread ransomware and other malicious software. The reports also noted that the patch to correct the vulnerability was released over 6 years ago by Red Hat. The issue of middleware security vulnerabilities is not unique to JBoss middleware, and the goal of this session is to raise awareness of the need to ensure architecture and security best practices are followed to prevent middleware from becoming the weakest link in your enterprise's security. This session will begin with a demonstration of how one Web Shell exploit works. The remainder of the session will discuss several common reasons that middleware is not maintained, and how adopting enterprise best practices for architecting, deploying and managing security updates (CVEs) via patching can improve the resiliency of your enterprise middleware against such exploits.
Daniel Walsh, Consulting Engineer, Red Hat
Traditionally, systems that handled sensitive data and moved data from one network to another required you to set up an MLS system. This talk will explain and demonstrate using container technology to set up a trusted path system. It will explain how you can build more secure trusted path systems with tools provided by containers, including SELinux, Namespaces, Cgroups and other technologies. With container technology you can build a much more secure system than by relying on MLS alone. You can even build a trusted path system without requiring MLS.
So, using the line of thought that fresh containers are better than older ones, we use a grading system of A through F to describe the freshness of a container image and its associated security exposures. Specifically, the grade reflects the age and the criticality (rated Critical or Important) of the oldest flaw that is applicable to the container image.
Red Hat Enterprise Linux Blog: your official source for the latest information on Red Hat’s IT infrastructure products, offerings, and solutions.
This cryptographic system relies on the properties of supersingular elliptic curves to create a Diffie-Hellman replacement with forward secrecy. Because it works much like existing Diffie-Hellman implementations, it offers forward secrecy, which is viewed as important both to prevent mass surveillance by governments and to protect against the compromise of long-term keys through failures.
Tariq Islam, Senior Specialist Architect, Red Hat
Security is more than just a bullet point on a slide deck. Its anatomy must be a default and comprehensive approach to the deployment culture. In this session, we’ll walk through the primary tenets of security as they pertain to DevOps and container platforms. This includes container platforms, deployment pipelines, actors, and the relationships between all of them. In the context of deploying containerized applications and microservices into a container platform, it’s crucial that security become an integral and all-pervasive enabling aspect in each component of the processes and the technologies being employed. We will discuss how security can and must be interwoven into every component and every step of the deployment process. We will look at practical real-world deployment pipeline examples, and examine the necessary implementation attributes of a container platform and its tool-chain to produce a robust and viable solution for federal agencies and beyond. From the underlying kernel to the running applications, all the way through to the acting users and monitoring tools, you will walk away with a better understanding of what security really means for DevOps and container platforms, and how to get there.
That risk is not confined to the users of the obsolete technologies; as DROWN and other cross-protocol attacks have demonstrated, it is sufficient for a server to merely enable a legacy protocol in parallel with the latest one for all of its users to be vulnerable. Furthermore, the recent cryptographic advances against the SHA-1 algorithm used for digital signatures demonstrate the need for algorithm agility in modern infrastructures. SHA-1 was an integral part of the Internet and of private Public Key Infrastructures, and despite that, we must envision a not-so-distant future with systems that no longer rely on SHA-1 for any cryptographic purpose.
Perform a vulnerability scan of a RHEL 6 machine. Security issues identified by Red Hat Security Advisories (RHSA) are mapped to CVE identifiers.
Red Hat Enterprise Linux Supplementary (v. 6) (chromium-browser): RHSA-2017:2792, 2017-09-25.